Paloalto Networks Updated PCNSE Exam Questions and Answers by sana

traffic log would list an application as “not-applicable” if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, service, etc1. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a “not-applicable” entry in the application field of the traffic log1.

To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:

B. Define a Forward Trust Certificate:

A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.

C. Configure SSL decryption rules:

SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.

Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.